Generate SANs from jinja template

dddd714b · Alexander Käb · cea3b9e9 · dddd714b · dddd714b · dddd714b
Commit dddd714b authored 2 years ago by Alexander Käb
--- a/README.md
+++ b/README.md
@@ -64,4 +64,23 @@ cert_valid_days: 1095

 # The passphrase used for the CA file
 sidecar_ca_passphrase:
+```
+
+### SAN config
+
+To configure the SANs that will be added to the node certificates the following options
+are available. The FQDN and short name of the node will always be added. The settings
+below only apply to `IP` SAN entries.
+
+```yaml
+# Control the IP family to use
+use_ipv4: true
+use_ipv6: true
+
+# If set to true, the IP of the default route interface will be used
+use_default: true
+
+# If set to true, the IP of the provided interface name will be used
+use_interface_ip: false
+iface_name: ""
 ```
\ No newline at end of file
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,4 +15,12 @@ generate_node_certs: true
 tmp_cert_dir: "/tmp/graylog-sidecar-certs" # local directory
 gl_sidecar_ca_path: "/etc/graylog/sidecar"
 sidecar_cert_dir: "/etc/graylog/sidecar"
-cert_valid_days: 1095
\ No newline at end of file
+cert_valid_days: 1095
+
+# Cert SAN settings
+node_cert_sans: "{{ lookup('template', 'node-cert-sans.j2') }}"
+use_ipv4: true
+use_ipv6: true
+use_default: true
+use_interface_ip: false
+iface_name: ""
\ No newline at end of file
--- a/tasks/node-certs.yml
+++ b/tasks/node-certs.yml
@@ -39,11 +39,7 @@
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ tmp_cert_dir }}/sidecar-{{ inventory_hostname }}.key"
        common_name: "{{ ansible_fqdn }}"  # CN
-        subject_alt_name:
-          - "DNS:{{ inventory_hostname }}"
-          - "DNS:{{ ansible_fqdn }}"
-          - "IP:{{ ansible_default_ipv6.address }}"
-          # - "IP:{{ ansible_default_ipv4.address }}"
+        subject_alt_name: "{{ node_cert_sans }}"
      register: "node_csr"

    - name: Node Certificates | Generate Certificates

--- a/templates/node-cert-sans.j2
+++ b/templates/node-cert-sans.j2
+{%- macro ansible_iface(name) -%}
+    ansible_{{name}}
+{%- endmacro -%}
+
+- "DNS:{{ inventory_hostname }}"
+- "DNS:{{ ansible_fqdn }}"
+{% if use_default == true -%}
+    {% if use_ipv4 == true and ansible_default_ipv4.address is defined -%}
+- "IP:{{ ansible_default_ipv4.address }}"
+    {% endif -%}
+    {% if use_ipv6 == true and ansible_default_ipv6.address is defined -%}
+- "IP:{{ ansible_default_ipv6.address }}"
+    {% endif -%}
+{% endif -%}
+{% if use_interface_ip == true -%}
+    {% if ansible_facts[ansible_iface(iface_name)] is defined -%}
+        {% if use_ipv4 == true and ansible_facts[ansible_iface(iface_name)].ipv4.address is defined -%}
+- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv6.address }}"
+        {% endif -%}
+        {% if use_ipv6 == true and ansible_facts[ansible_iface(iface_name)].ipv6.address is defined -%}
+- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv6.address }}"
+        {%- endif -%}
+    {%- endif-%}
+{%- endif -%}
\ No newline at end of file